FIELD OF THE INVENTION
This invention relates to the field of biometric authentication, and more particularly relates to validating both a biometric identifier and an associated code.
BACKGROUND
Description of the Related Art
Security is increasingly important in today's world. One result of this has been an increase in the use of biometric scanning as a way to authenticate people trying to access secure locations or trying to access secure information. For example, many computers have built-in fingerprint readers to authenticate users. Certain buildings use facial recognition readers, palm readers, retinal readers, or others to ensure that only authorized personnel can access secure locations.
While biometric authentication offers a number of advantages, it is only a single layer of security. If a hacker gets a fingerprint, for example, of an authorized user, the hacker may be able to gain access to the secured information. For example, if oil or residue leaves a fingerprint on the fingerprint reader, a hacker might place a piece of white paper over the fingerprint reader. In certain systems, this spoofs the system into reading the fingerprint residue and allows the hacker access.
BRIEF SUMMARY
The present invention has been developed in response to the present state of the art, and in particular, in response to the problems and needs in the art that have not yet been fully solved by currently available biometric authentication systems. Accordingly, the present invention has been developed to provide an apparatus, system, and method for strong biometric authentication that overcome many or all of the above-discussed shortcomings in the art.
In one embodiment, the apparatus includes an input module that receives a biometric scan and a verification sequence entered by a user through a biometric reader. The biometric scan and the verification sequence may be received separately or simultaneously; for example, the biometric scan may be derived from the verification sequence or captured while the verification sequence is entered. The verification sequence may include a set of biometric scans at multiple angles, or may include a set of symbols entered using the biometric reader.
A matching module validates the user entering the biometric scan. In one embodiment, validation includes comparing the biometric scan with one or more authenticated biometric scans stored in a data store and validating the biometric scan if the biometric scan matches at least one authenticated biometric scan. Validation may further include comparing the verification sequence with an authenticated verification sequence stored in the data store and validating the verification sequence if the verification sequence matches the authenticated verification sequence.
In one embodiment, the apparatus includes an authentication module that authenticates the user to a system if the matching module validates the verification sequence against the authenticated verification sequence, and if the matching module validates the biometric scan against the authenticated biometric scan. In another embodiment, the biometric scan is a fingerprint and the biometric reader is a fingerprint reader that measures displacement of a finger on the biometric reader in addition to reading a fingerprint. The biometric reader may be an area fingerprint reader or may also be a swipe fingerprint reader. In one embodiment, the user enters the verification sequence by displacing her finger on the biometric reader. Displacement may be angular displacement of the finger from a neutral position on the biometric reader, or may be linear displacement of the finger from a neutral position on the biometric reader.
The apparatus may also include a feedback module that associates symbols with various angular displacements. In such an embodiment, the verification sequence may comprise a set of symbols entered by the user through angular displacement. Similarly, the feedback module may associate symbols with various linear displacements, and the verification sequence may include a set of symbols entered by the user through linear displacement. In certain embodiments, the feedback module inserts a symbol associated with a particular displacement into the verification sequence if there is a change in direction of displacement or if a time interval completes with no change in the direction of displacement.
In one embodiment, the input module receives a verification sequence including biometric scans at variable angular displacements entered by a user using an area biometric reader. The matching module validates the verification sequence against an authenticated verification sequence that includes biometric scans at variable angular displacements for an authorized user. The validation may include comparing each biometric scan and its angular displacement in the verification sequence with a corresponding biometric scan and its angular displacement in the authenticated verification sequence, and determining that the verification sequence matches the authenticated verification sequence if each biometric scan and its angular displacement in the verification sequence matches each biometric scan and its angular displacement in the authenticated verification sequence. The authentication module authenticates the user if the matching module validates the verification sequence of biometric scans against the authenticated verification sequence of biometric scans.
Validating the verification sequence may also include determining that the number of biometric scans in the verification sequence is equal to the number of biometric scans in the authenticated verification sequence. The authenticated verification sequence may be a set of distinct fingerprint images, or may also be a single fingerprint image and a set of angular displacements for that fingerprint image.
A system of the present invention is also disclosed. The system includes a biometric reader that obtains a biometric scan and a verification sequence entered by a user, and may also include an input module, matching module, and authentication module as described above. The system may also include a monitor and/or speakers for providing audio and/or visual feedback to the user. In certain embodiments, the feedback module provides audio and/or visual feedback using the monitor and speakers.
Also disclosed is a method for authenticating a user using a biometric reader. In one embodiment, the method includes receiving a biometric scan and a verification sequence entered by a user through a biometric reader, comparing the biometric scan with authenticated biometric scans stored in a data store, and validating the biometric scan if the biometric scan matches the authenticated biometric scan. The method may also include comparing the verification sequence with an authenticated verification sequence stored in the data store and validating the verification sequence if the verification sequence matches the authenticated verification sequence. The method may further include authenticating the user to a system if the verification sequence is validated against the authenticated verification sequence, and if the biometric scan is validated against the authenticated biometric scan.
Reference throughout this specification to features, advantages, or similar language does not imply that all of the features and advantages that may be realized with the present invention should be or are in any single embodiment of the invention. Rather, language referring to the features and advantages is understood to mean that a specific feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the present invention. Thus, discussion of the features and advantages, and similar language, throughout this specification may, but do not necessarily, refer to the same embodiment.
Furthermore, the described features, advantages, and characteristics of the invention may be combined in any suitable manner in one or more embodiments. One skilled in the relevant art will recognize that the invention may be practiced without one or more of the specific features or advantages of a particular embodiment. In other instances, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments of the invention.
These features and advantages of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.
BRIEF DESCRIPTION OF THE DRAWINGS
In order that the advantages of the invention will be readily understood, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered limiting of the invention's scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings, in which:
FIG. 1a is an illustration of one embodiment of a user utilizing a system for multi-factor biometric authentication;
FIG. 1b is a schematic block diagram illustrating one embodiment of a system for multi-factor biometric authentication;
FIG. 2 is a schematic block diagram illustrating one embodiment of an authentication apparatus;
FIG. 3 is a schematic block diagram illustrating two embodiments of a system presenting a graphic in support of multi-factor biometric authentication;
FIG. 4a is a schematic diagram illustrating one embodiment of a user entering a verification sequence;
FIG. 4b is a schematic block diagram illustrating one embodiment of a data store storing authenticated verification sequences;
FIG. 5 is a schematic diagram illustrating different embodiments of approaches to entering a verification sequence using biometric readers; and
FIG. 6 is a schematic flow chart diagram illustrating one embodiment of a method for multi-factor authentication.
DETAILED DESCRIPTION
Many of the functional units described in this specification have been labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network. Where a module or portions of a module are implemented in software, the software portions are stored on one or more computer readable media.
Reference throughout this specification to “one embodiment,” “an embodiment,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
A computer readable medium may be any tangible medium capable of storing machine-readable instructions on a digital processing apparatus. A computer readable medium may be embodied by a transmission line, a compact disk, digital-video disk, a magnetic tape, a Bernoulli drive, a magnetic disk, a punch card, flash memory, integrated circuits, or other digital processing apparatus memory device.
An apparatus can be any piece of machinery, device, or tool that performs the functions described in connection with the apparatus. In certain embodiments, the apparatus includes a processor that reads instructions from a computer readable medium. In certain embodiments, the apparatus includes hardware circuits for performing the specified functions. In certain embodiments, the apparatus includes a combination of hardware and instructions stored on a computer readable medium executable by a processor.
Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
FIG. 1a depicts an illustration of a user 350 using a laptop 310 that has a validation apparatus 120 as described below. The user 350 enters biometric information (in this case, a fingerprint) using the biometric reader 114. The biometric reader 114 authenticates the user 350 using the biometric information. In addition, the user 350 enters a verification sequence using the biometric reader 114. In one embodiment, the sequence is a series of numbers.
For example, as the user 350 moves his finger on the biometric reader 114, the laptop 310 may cause the graphic of the lock to spin. This allows the user 350 to enter a numerical sequence as the verification sequence. If the biometric information is validated against an authenticated biometric scan, and the verification sequence is validated against an authenticated verification sequence, the user 350 is authorized and given access to data on the laptop 310. As a result, the laptop 310 benefits from an additional layer of security in addition to simple biometric protection, but does not require additional hardware.
FIG. 1a is simply one example of a system using biometric information. Further embodiments are described below and in connection with other figures. The present invention is not limited to the embodiment depicted in FIG. 1a.
FIG. 1b depicts a system for strong biometric authentication. The system includes a host 110, a data store 112, and a biometric reader 114. The host 110 may be any device for which authentication is needed. In one embodiment, the host 110 performs some action after authentication, such as granting access to data, unlocking a door, or another action. In one embodiment, the host 110 is a computer such as a laptop, Personal Digital Assistant (PDA), cell phone, desktop, blade center, or other type of computing system. In one embodiment, the host 110 is a controller that controls a door or gate to a secure area that is restricted to authorized personnel. Authentication may be required in a variety of contexts, and the host 110 is not limited to any particular situation.
The data store 112 stores biometric authentication information. The data store 112 may be any medium, memory device, or data structure capable of storing data. A data store 112 may be a flat file, a database, an object, or other construct capable of storing data. In certain embodiments, the data store 112 is incorporated into the host 110. The data store 112 may also be separate from the host 110. In one embodiment, the data store 112 stores biometric and sequence information and can retrieve biometric information stored in the data store 112. The data store 112 may also be a matching database with variable length fields to allow storing entries (such as the authenticated verification sequences described below) of variable lengths.
The data store 112 may also include other information related to an authorized user, such as a name, an identification number, a photograph, a computer account number, or other information that may be used to identify a user and allow the desired access. The biometric and sequence information may be correlated to a name, identification number, etc. for a user.
The biometric reader 114 scans one or more biometrics of a user to obtain a biometric scan for the user. Many different biometrics, such as a fingerprint or a retinal image, can be used to uniquely identify an individual. The biometric reader 114 may be a fingerprint reader, a retinal reader, a facial recognition reader, a palm reader, or other type of reader that captures a biometric scan of a user. Similarly, the biometric scan may be a scan of a fingerprint, an image of an eye, or other biometric identifier. The technology used to capture the biometric information may be optical imaging, thermal imaging, electric field or wave sensing, or any other technology that converts the distinctive biometric pattern into a digital or analog representation readable by a computing device. The biometric scan may be stored as a visual image, or may be stored as non-visual data derived from the particular biometric which can be used to recognize the particular biometric pattern. In one embodiment, a biometric scan may be a bitmap file, a pixmap file, a JPEG file, a minutiae template file, or another format known in the art.
The host 110 includes a validation apparatus 120. The validation apparatus 120 authenticates a user to the host 110 based on information entered at the biometric reader 114. The validation apparatus 120 verifies that the biometric scan is legitimate and authorized, and also verifies the verification sequence entered by the user via the biometric reader 114. The validation apparatus 120 increases the security of the host 110 by using multi-factor authentication to authenticate the user to the host 110. In one embodiment, the multiple factors are entered using the biometric reader 114, eliminating the need for additional hardware.
FIG. 2 is an illustrative block diagram of one embodiment of a validation apparatus 120. The validation apparatus 120 includes an input module 210, a matching module 212, and an authentication module 214. The input module 210 receives a biometric scan and a verification sequence entered by a user through the biometric reader 114. The biometric scan may be a scan of a fingerprint, a hand, a face, or other biometric identifier. In one embodiment, the verification sequence is a set of biometric scans at multiple angles. For example, the verification sequence may be a set of four fingerprint scans with the finger oriented at 45° for the first scan, 0° for the second scan, 90° for the third scan, and −22.5° for the fourth scan. In one embodiment, the verification sequence is a set of symbols entered using the biometric reader. For example, the verification sequence may be an alphanumeric code or a symbolic code. Symbols may be numbers, letters, icons, sounds, or other representations.
In certain embodiments, the input module 210 receives the biometric scan and the verification sequence directly from the biometric reader 114. In other embodiments, the input module 210 receives the biometric scan and the verification sequence indirectly from the biometric reader 114. That is, other elements may receive and process the sequence prior to passing it to the input module 210.
In one embodiment, the biometric scan and the verification sequence are entered by the user separately through the biometric reader 114. For example, the input module 210 may receive a single biometric scan, such as a fingerprint, authenticate it, and then may separately receive angular or linear sequence information, such as that derived from subsequent fingerprint scans. In this embodiment, if the biometric scan is a fingerprint, the received fingerprint may be used to match a stored fingerprint and the received angle information may be used separately to verify a sequence.
The biometric scan and the verification sequence may, however, also be entered together such that the input module 210 derives the biometric scan from the multiple entries making up the verification sequence. For example, the verification sequence may be a series of fingerprints entered at multiple variable angles. In one embodiment, when the input module 210 receives the verification sequence, it is also receiving a biometric scan and re-authenticating each fingerprint presented at each unique angle or linear displacement. This provides a higher level of security and aids in minimizing fraud via attempts to defeat the biometric authentication process. Thus, in certain embodiments, the input module 210 receives the biometric scan and the verification sequence when the input module 210 receives a verification sequence that includes biometric scans. In these embodiments, the input module 210 does not need to receive the biometric scan and the verification sequence separately. In one embodiment, the user may simply be prompted to enter the verification sequence and the input module 210 derives the biometric scan from the entry of the verification sequence. For example, if the user uses the biometric reader 114 as a motion detector to enter a verification sequence, the input module 210 may derive a fingerprint while the user enters the verification sequence.
In certain embodiments, the input module 210 receives the verification sequence one item at a time, as the user enters the verification sequence. For example, the input module 210 may receive each fingerprint or symbol as it is entered by the user at the biometric reader 114. In certain embodiments, the input module 210 receives the verification sequence at once after the user has entered the complete sequence at the biometric reader 114.
The matching module 212 validates the user entering the biometric scan and verification sequence. In one embodiment, the matching module 212 compares the biometric scan with an authenticated biometric scan stored in the data store 112. The authenticated biometric scan is a biometric scan of a known authorized user. For example, the data store 112 may hold fingerprint data (such as images, minutiae files, etc.) for all users who are authorized to have access to a particular system. The matching module 212 compares the fingerprint data the user currently enters at the biometric reader 114 with the authenticated fingerprint data the user initially enrolled, which is stored in the data store 112. The matching module 212 validates the fingerprint data if it matches the authenticated fingerprint data.
The matching module 212 validates the biometric scan if the biometric scan matches the authenticated biometric scan. In one embodiment, the matching module 212 uses a fingerprint searching and matching engine to compare biometric scans and determine whether or not there is a match. Where the biometric scans are fingerprints, the matching module 212 may use minutiae-based matching techniques or correlation-based matching techniques. The matching module 212 may use a variety of search and matching technologies to search and match biometric scans.
The matching module 212 also compares the verification sequence with an authenticated verification sequence stored in the data store 112. In one embodiment, the authenticated verification sequence is a set of symbols entered by a known authorized user. The authorized user may enter the authenticated verification sequence when the user is being enrolled as an authorized user for the particular system. In another embodiment, the authorized user enters the authenticated verification sequence using a keyboard when the user initially enrolls their biometric information (stores their fingerprints in the database).
The matching module 212 validates the verification sequence if the verification sequence matches the authenticated verification sequence. In one embodiment, the matching module 212 requires an exact match prior to validating the verification sequence. For example, if the verification sequence is a numeric code such as 4-9-3, the matching module 212 may require that the user enter the numeric code precisely.
In other embodiments, the matching module 212 may require that the verification sequence be similar to the authenticated verification sequence and specify an error tolerance. For example, if the verification sequence is a set of fingerprints at varied angles, the matching module 212 may require that the fingerprint image provided by the user and the fingerprint image in the verification sequence be close, but not a precise match. In addition, if the verification sequence is a set of fingerprint images at varied angles, the matching module 212 may specify a tolerance of error in a particular angle. For example, the matching module 212 may consider a fingerprint scanned at an angle between 40° and 50° to qualify as matching the angle of a fingerprint at 45°.
In one embodiment, validating the verification sequence also includes verifying that the number of biometric scans or symbols in the verification sequence entered by the user is the same as the number of biometric scans in the authenticated verification sequence. For example, if the verification sequence the user enters is 4-6-8-9, but the authenticated verification sequence is 4-6-8, the matching module 212 may determine that the verification sequence is invalid even though it contains the correct authenticated verification sequence as a subset.
In one embodiment, the matching module 212 validates the biometric data received by the input module 210 separately from validating the sequence information received by the input module 210. For example, the matching module 212 may compare a fingerprint to a known fingerprint of a user as stored on a smart card, employee ID badge, or other portable medium capable of storing a fingerprint template, or may find a fingerprint that matches a stored fingerprint in a large database of enrolled fingerprint templates. The matching module 212 may then validate the received sequence by matching it against a stored sequence associated with the user for whom a matching fingerprint was found.
In another example, the matching module 212 validates the biometric data received by the input module 210 along with validating the sequence information received by the input module 210. For example, if the input module 210 receives fingerprint information at various angles, the matching module 212 could use one or more of the received fingerprints to match a stored fingerprint of an authorized user. The matching module 212 could simultaneously match an angle of each received fingerprint with multiple stored fingerprints at all possible angles of input for the user. The matching module 212 could match a single fingerprint from a set of received fingerprints and derive possible angles through calculation, or could match each received fingerprint with stored templates of all possible angles.
An authentication module 214 authenticates the user to the secure system, such as the host 110, if the matching module 212 validates the verification sequence against the authenticated verification sequence and the biometric scan against the authenticated biometric scan. For example, when the authentication module 214 authenticates the user, the user may be granted access to a restricted area, a computer, a file, or other secure location or information.
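The matching and authentication rules described above (exact matching of a symbol code, an angular tolerance for a sequence of scan angles, the same-count requirement, and authentication only when both factors validate), as an added Python example; this is not code from the patent, which describes no implementation. The ±5° tolerance (so that 40° to 50° match a stored 45°), the sample codes and angle sequences, and treating the output of the fingerprint matching engine as a boolean supplied by the caller are assumptions of the example.

```python
"""Matching-module style validation of a verification sequence and the
two-factor authentication decision. Added example, not the patent's code.
Assumptions: +/-5 degree angular tolerance, NUL-separated symbol joining,
and a biometric match result supplied by the caller."""
import hmac
from dataclasses import dataclass
from typing import Sequence, Tuple, Union

Symbol = str
Angle = float
SequenceItem = Union[Symbol, Angle]

ANGLE_TOLERANCE_DEG = 5.0  # assumption: 40..50 deg qualifies as a stored 45 deg


@dataclass(frozen=True)
class EnrolledUser:
    """What enrollment leaves in the data store for one user: the authenticated
    verification sequence (the fingerprint template lives in the matching engine)."""
    name: str
    sequence: Tuple[SequenceItem, ...]


def normalize_angle(deg: float) -> float:
    """Wrap an angle to (-180, 180] so that 358 deg and -2 deg are the same orientation."""
    deg = deg % 360.0
    return deg - 360.0 if deg > 180.0 else deg


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two orientations, in degrees."""
    return abs(normalize_angle(a - b))


def validate_symbol_sequence(entered: Sequence[Symbol], authenticated: Sequence[Symbol]) -> bool:
    """Exact-match rule for a symbol code such as 4-9-3. The count check makes
    4-6-8-9 fail against 4-6-8 even though the stored code is a prefix of the
    entry. hmac.compare_digest compares the whole joined code regardless of
    where the first differing symbol sits."""
    if len(entered) != len(authenticated):
        return False
    # NUL is assumed never to occur inside a symbol, so the join is unambiguous
    return hmac.compare_digest("\0".join(entered).encode(), "\0".join(authenticated).encode())


def validate_angle_sequence(entered: Sequence[Angle], authenticated: Sequence[Angle],
                            tolerance: float = ANGLE_TOLERANCE_DEG) -> bool:
    """Tolerance rule for a sequence of scan angles: same number of scans, and
    every entered angle within `tolerance` degrees of the stored angle at the
    same position in the sequence."""
    if len(entered) != len(authenticated):
        return False
    return all(angle_diff(e, a) <= tolerance for e, a in zip(entered, authenticated))


def validate_sequence(entered: Sequence[SequenceItem], authenticated: Sequence[SequenceItem]) -> bool:
    """Pick the matching rule from the kind of sequence that was enrolled."""
    stored_is_symbolic = all(isinstance(x, str) for x in authenticated)
    entered_is_symbolic = all(isinstance(x, str) for x in entered)
    if stored_is_symbolic != entered_is_symbolic:
        return False  # an angle sequence never matches an enrolled symbol code, or vice versa
    if stored_is_symbolic:
        return validate_symbol_sequence(entered, authenticated)
    return validate_angle_sequence(entered, authenticated)


def authenticate(user: EnrolledUser, biometric_matched: bool,
                 entered: Sequence[SequenceItem]) -> bool:
    """Authentication-module rule: grant access only if both the biometric scan
    and the verification sequence validated. The sequence is checked even when
    the biometric already failed, so a rejection does not reveal which factor
    was wrong."""
    sequence_valid = validate_sequence(entered, user.sequence)
    return biometric_matched and sequence_valid


if __name__ == "__main__":
    alice = EnrolledUser("alice", ("4", "9", "3"))              # constructed symbol code
    bob = EnrolledUser("bob", (45.0, 0.0, 90.0, -22.5))           # constructed angle sequence
    carol = EnrolledUser("carol", ("4", "6", "8"))
    print(authenticate(alice, True, ["4", "9", "3"]))             # True
    print(authenticate(carol, True, ["4", "6", "8", "9"]))        # False: extra symbol
    print(authenticate(bob, True, [44.0, 2.0, 93.0, -20.0]))      # True: all within 5 deg
    print(authenticate(bob, False, [45.0, 0.0, 90.0, -22.5]))     # False: fingerprint not matched
```

The tolerance is applied per position, so a sequence that is correct but rotated by one scan fails, which is what the text's "corresponding biometric scan" comparison requires.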
In one embodiment, a feedback module 216 provides the user with feedback to facilitate entering the verification sequence. For example, the feedback module 216 may provide a graphic or audio to help the user enter the verification sequence. The feedback module 216 may also instruct the biometric reader 114 to act as a motion or displacement detector that allows the user to enter symbols for the verification sequence, as described in greater detail below. The feedback module 216 may also interpret the data provided by the biometric reader 114 and associate symbols with the motion detected by the biometric reader 114.
In one embodiment, the input module 210, matching module 212, authentication module 214, and feedback module 216 are implemented at the device driver level of a computer system. In other embodiments, the validation apparatus 120 may be part of an operating system. The validation apparatus 120 may also be incorporated into the biometric reader 114 itself as firmware or microcode, or implemented as end user application software. All or a portion of the modules 210, 212, 214, 216 may be in separate devices and/or locations. For example, the input module 210 may be collocated with a biometric reader 114 while the matching module 212, authentication module 214, and feedback module 216 may reside at a host 110. One of skill in the art will recognize other ways to organize the modules 210, 212, 214, 216.
FIGS. 3a and 3b show embodiments of a laptop 310 with a biometric reader 114 that displays a graphic 314 to facilitate multi-factor biometric authentication. FIG. 3a shows the laptop 310 displaying a login screen that includes a graphic 314 of a lock. As shown in FIGS. 3a and 3b, a system (whether or not it is a laptop 310) may be equipped with a monitor for providing visual information and speakers for providing audio feedback to the user. In such embodiments, the feedback module 216 may provide visual feedback, audio feedback, or both, to the user.
In one embodiment, the graphic 314 is an image of a common padlock type lock that responds with animated graphics as the user enters the biometric scan and verification sequence using the biometric reader 114. In one embodiment, the user first presents a biometric scan. When the biometric scan is authenticated, the feedback module 216 instructs the biometric reader 114 to operate in a displacement detection mode and the user is instructed to enter the verification sequence. In other embodiments, the biometric scan is derived directly as the user enters the verification sequence using the biometric reader 114.
In one embodiment, the user uses the biometric reader 114 to spin the numbers on the lock graphic 314. The user may enter a verification sequence that is a numeric code using the lock, following which the numeric code is compared against an authenticated verification sequence that is a numeric code. In one embodiment, the biometric reader 114 is configured to act as a motion detector. For example, a swipe fingerprint reader may be set up to measure the linear displacement of a finger on the biometric reader. As the user linearly displaces his finger from a neutral position on the biometric reader 114, the feedback module 216 alters the graphic 314 incrementally to show the dial on the lock spinning. In one embodiment, the biometric reader 114 is an area fingerprint reader which is set up to measure angular displacement of a finger on the biometric reader. As the user angularly displaces his finger from a neutral position on the biometric reader 114, the graphic 314 shows the dial on the lock spinning. In certain embodiments, audio feedback, such as clicking or audio number callouts, may provide additional feedback to help the user naturally spin the lock using the biometric reader 114.
In certain embodiments, the feedback module 216 associates symbols with various angular displacements or various linear displacements. The feedback module 216 may determine that the user intends to enter a particular number if he pauses at a particular number for a predetermined period of time. In other embodiments, like a regular padlock, the feedback module 216 determines that the user intends to enter a particular number when the user reverses the direction of her motion. Thus, the feedback module 216 may insert a symbol that is associated with a particular displacement into the verification sequence if the user changes the direction of the displacement or if some predetermined time interval completes during which there was no change in the direction of displacement.
FIG. 3bshows a second exemplary embodiment of a graphic314 that may be used to enter symbols into the verification sequence. As the user alters the displacement of the particular biometric on thebiometric reader114, thefeedback module216 may cause the pointer to move across the line below the numbers and letters. The user can thus control the pointer and use thebiometric reader114 to enter the required verification sequence.
FIG. 4a shows one embodiment of a user entering a verification sequence that includes a set of biometric scans at multiple angles. In the depicted embodiment, the biometric scans are fingerprints; however, the biometric scans could be other types of biometric scans as noted above. In one embodiment, the user enters a first biometric scan at 0°, which is then validated as described above. In one embodiment, the user is prompted to enter the verification sequence only after the 0° scan is validated. In other embodiments, the user simply enters the first biometric scan of the verification sequence at the preset angle, and authentication of the biometric scan occurs based on that entry.
Prior to using the validation apparatus 120 to gain access to the system, the user or an administrator typically sets up an account for the user in the system by a process commonly known as enrollment. In typical embodiments, this includes getting an authenticated biometric scan from the user and getting an authenticated verification sequence. Where the verification sequence is a set of biometric scans at multiple angles, as shown in FIG. 4a, the user may enter the verification sequence by scanning his finger a number of times as shown to establish the verification sequence. In other embodiments, the user may enter an authenticated biometric scan and then simply enter the angles in the authorized verification sequence using a keypad.
In one embodiment, the data store 112 stores a single authenticated biometric scan and the angles of the authenticated verification sequence, as shown in authenticated verification sequence 410a. In such an embodiment, comparing the verification sequence with the authenticated verification sequence may entail rotating the authenticated biometric scan by the specified angle and comparing the rotated biometric scan with the particular entry in the verification sequence as entered by the user.
In other embodiments, the data store 112 stores unique biometric scans for each entry in the verification sequence, as shown in authenticated verification sequence 410a. In such an embodiment, comparing the verification sequence with the authenticated verification sequence may entail comparing each biometric scan in the verification sequence against a corresponding biometric scan in the authenticated verification sequence 410a. Thus, the first entry in the verification sequence is compared with the first entry in the authenticated verification sequence, and so on until each element of the verification sequence is compared and validated.
In one embodiment, when the user enters the first biometric scan (regardless of whether or not the first biometric scan is part of the verification sequence) the validation apparatus 120 finds an entry within the data store 112 with a matching authenticated biometric scan. If no match is found, the user is denied access. If a match is found, the user must still enter the verification sequence correctly; however, subsequent entries are compared only against those entries in the verification sequence. As a result, the data store 112 does not need to be searched completely for each entry in the verification sequence.
The validation apparatus 120 may thus record multiple presses of the same fingerprint in different geometric orientations, which is used as a unique code in the enrollment and authentication process. The system is enhanced with a second layer of security, but does not require additional hardware to get the additional security layer.
While FIG. 4b shows images of fingerprints in the data store 112, the representation is for ease of understanding. The biometric scans may be images, minutiae files, or other representations of biometric scans known in the art. In addition, the biometric scans may be palm prints, retinal scans, facial recognition scans, or other varieties of biometric scans.
In an embodiment such as that associated with FIG. 4, the input module 210 receives a verification sequence that includes biometric scans at variable angular displacements entered by the user using an area biometric reader 114. The matching module 212 may then validate the verification sequence against an authenticated verification sequence (such as that shown in 410a or 410b) of an authorized user that is made up of a plurality of biometric scans at variable angular displacements.
In one embodiment, the matching module 212 compares each biometric scan and its angular displacement in the verification sequence with a corresponding biometric scan and its angular displacement in the authenticated verification sequence, whether in the form shown in 410a or 410b. The matching module 212 may determine that the verification sequence matches the authorized verification sequence if each biometric scan, and its angular displacement, matches each biometric scan and associated angular displacement in the authenticated verification sequence 410b. The authentication module then authenticates the user if the matching module 212 validates the verification sequence against the authenticated verification sequence.
FIG. 5 shows one embodiment of a user entering a verification sequence that includes a set of symbols using a biometric reader. FIG. 5a shows a user entering symbols using an area fingerprint reader 510. In the depicted embodiment, the area fingerprint reader 510 detects angular displacement of the finger from a neutral position, such as the 0° position shown in the middle figure of FIG. 5a. In one embodiment, as the user changes the angular displacement from the 0° position to a 90° position, as shown in the first figure of FIG. 5a, the dial on the graphic 314 moves 180° in a counter-clockwise direction. As the user changes the angular displacement from the 0° position to a −90° position, as shown in the third figure of FIG. 5a, the dial on the graphic 314 moves 180° in a clockwise direction. This allows the user to enter the full range of digits on the graphic 314 by changing the angle of the finger on the area fingerprint reader 510. The relationship between changes in angular displacement and corresponding changes in the symbols on the graphic 314 may, of course, vary from the example given above.
In another example, a user may rotate a finger clockwise to move the digits on the graphic 314 clockwise, return the finger to a neutral position to stop the graphic 314 from moving digits, and rotate the finger in a counter-clockwise direction to move the graphic 314 counter-clockwise. In a further example, an amount of angular displacement of the finger determines a speed at which the graphic 314 rotates digits, so increasing angular displacement of the finger speeds up number movement and decreasing angular displacement causes rotation of digits in the graphic 314 to slow or stop.
FIG. 5b shows one embodiment of a user entering a verification sequence that includes a set of symbols using a biometric reader that is a swipe fingerprint reader 512. In one embodiment, as the user moves the finger up, as shown by the direction of the arrow in the first figure in FIG. 5b, the dial on the graphic 314 rotates counter-clockwise. Conversely, as the user moves the finger down, the dial on the graphic 314 rotates clockwise. The above relationship is merely one example of a possible implementation, and a variety of different implementations that match motion to changes in the graphics may be implemented.
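As an added illustration, not code from the patent, the following Python models the feedback module's symbol-commit rules from the FIG. 3 discussion (a symbol is committed on a direction reversal or on a predetermined pause) together with the FIG. 5a mapping of finger angle to dial travel; the ten-digit dial, the linear angle mapping, the dwell interval, the sensor deadband and the sample stream are assumptions constructed for the example.

```python
import hmac
from typing import List, Optional, Tuple

DIAL_POSITIONS = 10              # digits 0-9 on the lock graphic (assumption)
DWELL_MS = 800                   # predetermined pause that commits a symbol (assumption)
DIAL_DEG_PER_FINGER_DEG = 2.0    # FIG. 5a: 90 deg of finger rotation moves the dial 180 deg
DEADBAND_DEG = 1.0               # sensor jitter below this counts as "no movement" (assumption)

def dial_digit(finger_angle_deg: float) -> int:
    """Map finger angular displacement from neutral (0 deg) to the digit under the pointer."""
    dial_deg = finger_angle_deg * DIAL_DEG_PER_FINGER_DEG
    return round(dial_deg / (360.0 / DIAL_POSITIONS)) % DIAL_POSITIONS

def decode_sequence(samples: List[Tuple[int, float]]) -> List[int]:
    """Turn (timestamp_ms, finger_angle_deg) samples into the entered verification sequence.

    A symbol is committed on a direction reversal (like a padlock) or after resting on a
    digit for DWELL_MS. A rest that already committed is not committed again by the
    reversal that follows it, so one pause yields exactly one symbol.
    """
    symbols: List[int] = []
    prev_angle: Optional[float] = None
    direction = 0                    # +1 / -1 once moving, 0 before the first movement
    dwell_start = 0
    committed_at_rest = False
    for t, angle in samples:
        if prev_angle is None:
            prev_angle, dwell_start = angle, t
            continue
        delta = angle - prev_angle
        if abs(delta) < DEADBAND_DEG:          # finger is resting on a digit
            if not committed_at_rest and t - dwell_start >= DWELL_MS:
                symbols.append(dial_digit(prev_angle))
                committed_at_rest = True
            continue                           # keep prev_angle as the resting position
        new_dir = 1 if delta > 0 else -1
        if direction and new_dir != direction and not committed_at_rest:
            symbols.append(dial_digit(prev_angle))   # reversal commits the turning point
        direction, dwell_start, committed_at_rest, prev_angle = new_dir, t, False, angle
    return symbols

def sequence_matches(entered: List[int], authenticated: List[int]) -> bool:
    """Compare against the enrolled code in constant time (step 614 for a symbol code)."""
    a = "".join(map(str, entered)).encode()
    b = "".join(map(str, authenticated)).encode()
    return hmac.compare_digest(a, b)

# Constructed sample stream (100 ms period): turn to 36 deg and pause, reverse through
# -54 deg, then turn back to 18 deg and pause. Expected decode: [2, 7, 1].
SAMPLES = ([(0, 0.0), (100, 12.0), (200, 24.0), (300, 36.0)]
           + [(t, 36.0) for t in range(400, 1200, 100)]
           + [(1200, 24.0), (1300, 0.0), (1400, -30.0), (1500, -54.0), (1600, -36.0),
              (1700, -18.0), (1800, 0.0), (1900, 18.0)]
           + [(t, 18.0) for t in range(2000, 2800, 100)])
```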
FIG. 6 is an illustration of one embodiment of a method 600 for authenticating a user using a biometric reader 114. In one embodiment, the method includes receiving 610 a biometric scan and a verification sequence entered by a user through a biometric reader 114. The verification sequence may be a set of biometric scans, or may alternatively be a set of symbols entered using the biometric reader 114. In one embodiment, the input module 210 receives the biometric scan and verification sequence.
The method also includes comparing 612 the biometric scan with an authenticated biometric scan. If the biometric scan matches the authenticated biometric scan, the biometric scan is validated. In one embodiment, the matching module 212 makes the comparison and validates the biometric scan.
The method also includes comparing 614 the verification sequence with an authenticated verification sequence stored in the data store. If the verification sequence matches the authenticated verification sequence, the verification sequence entered by the user is validated. In one embodiment, the matching module 212 makes the comparison and validates the verification sequence.
As noted above, the steps 612 and 614 may, in certain embodiments, be combined. For example, the biometric scan may be compared and authenticated in connection with comparing the verification sequence with an authenticated verification sequence. Regardless of whether the steps are separate or combined, both the biometric scan and the verification sequence are compared and validated such that a user entering a valid verification sequence but with a wrong biometric (such as a fingerprint) is not authenticated, nor is a user with a valid biometric but an incorrect verification sequence.
The method further includes authenticating 616 the user to the system if the biometric scan and the verification sequence are validated. In one embodiment, the authentication module 214 authenticates the user in response to the matching module 212 validating both the biometric scan and the verification sequence. After authentication, the user may be granted appropriate access to the system.
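As an added example that is not the patent's code, this Python sketches method 600 over the FIG. 4 data store in its 410a form (one authenticated scan plus the sequence's angles): the first scan is looked up across the whole store, and each later entry is compared only against that user's template rotated by the stored angle. The minutiae point model of a scan, the tolerance matcher and the enrolled values are assumptions.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, float]
Scan = List[Point]          # minutiae (x, y) relative to the scan centre (model assumption)

def rotate(scan: Scan, angle_deg: float) -> Scan:
    """Rotate a stored template by an angle recorded in the authenticated sequence."""
    r = math.radians(angle_deg)
    c, s = math.cos(r), math.sin(r)
    return [(x * c - y * s, x * s + y * c) for x, y in scan]

def scans_match(a: Scan, b: Scan, tol: float = 0.05) -> bool:
    """Toy matcher (assumption): same minutiae count and every point within tol."""
    return len(a) == len(b) and all(math.dist(p, q) <= tol for p, q in zip(a, b))

class DataStore:
    """410a form: one authenticated scan per user plus the angles of the sequence."""
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[Scan, List[float]]] = {}

    def enroll(self, user: str, template: Scan, angles: Sequence[float]) -> None:
        self.users[user] = (template, list(angles))

    def find_user(self, scan: Scan) -> Optional[str]:
        """The full-store search happens once, for the first scan only."""
        for user, (template, _) in self.users.items():
            if scans_match(scan, template):
                return user
        return None

def authenticate(store: DataStore, entries: Sequence[Scan]) -> Optional[str]:
    """Return the user name only if the biometric and the verification sequence both validate."""
    if not entries:
        return None
    user = store.find_user(entries[0])          # step 612: biometric scan lookup
    if user is None:
        return None                             # unknown finger: denied
    template, angles = store.users[user]
    if len(entries) != len(angles):
        return None                             # wrong sequence length: denied
    # Step 614: entry i is compared with the template rotated by angle i, consulting
    # only this user's sequence. In the 410b form the stored scan for entry i would
    # replace rotate(template, angle). Every entry is evaluated rather than stopping
    # at the first mismatch, so response time does not reveal which position failed.
    results = [scans_match(e, rotate(template, a)) for e, a in zip(entries, angles)]
    return user if all(results) else None       # step 616
```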
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.